[DRE-maint] Redmine ActionView::Template::Error after recent Rails security update
Sven Eckelmann
sven at narfation.org
Tue Sep 6 07:41:45 BST 2022
On Tuesday, 6 September 2022 06:12:21 CEST Jude Hungerford wrote:
[...]
> Looking in /var/log/redmine/default/production.log, I see the following
> error message:
>
> """
> Started GET "/redmine/" for 203.221.207.132 at 2022-09-06 10:27:56 +1000
> Processing by WelcomeController#index as HTML
> Current user: jude (id=4)
> Rendering welcome/index.html.erb within layouts/base
> Rendered welcome/index.html.erb within layouts/base (3.5ms)
> Completed 500 Internal Server Error in 19ms (ActiveRecord: 4.9ms)
>
> ActionView::Template::Error (unknown keywords: permitted_classes, aliases):
> 11: <%= favicon %>
> 12: <%= stylesheet_link_tag 'jquery/jquery-ui-1.11.0', 'application',
> 'responsive', :media => 'all' %>
> 13: <%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) ==
> 'rtl' %>
> 14: <%= javascript_heads %>
> 15: <%= heads_for_theme %>
> 16: <%= call_hook :view_layouts_base_html_head %>
> 17: <!-- page specific tags -->
>
> app/models/user_preference.rb:61:in `[]'
> app/models/user_preference.rb:79:in `warn_on_leaving_unsaved'
> app/helpers/application_helper.rb:1493:in `javascript_heads'
> app/views/layouts/base.html.erb:14:in
> `_app_views_layouts_base_html_erb__2757522946862800469_70311845404380'
> lib/redmine/sudo_mode.rb:63:in `sudo_mode'
> """
This is also discussed [1] in the rails issue tracker. Two problematic pieces
(with following workarounds) are mentioned there.
* ruby-psych
--- /usr/lib/ruby/2.5.0/psych.rb.old 2022-09-06 08:35:25.169690412 +0200
+++ /usr/lib/ruby/2.5.0/psych.rb 2022-09-06 08:27:29.875033328 +0200
@@ -544,3 +544,26 @@
end
# :startdoc:
end
+
+# Workaround for https://lists.debian.org/debian-backports/2022/09/msg00003.html
+module Psych
+ module_function
+
+ class << self
+ alias original_safe_load safe_load
+ end
+
+ def safe_load(yaml,
+ whitelist_classes = [],
+ whitelist_symbols = [],
+ arg_aliases = false,
+ filename = nil,
+ symbolize_names: false,
+ permitted_classes: whitelist_classes,
+ aliases: false)
+ original_safe_load(
+ yaml, permitted_classes, whitelist_symbols, aliases || arg_aliases, filename,
+ symbolize_names: symbolize_names,
+ )
+ end
+end
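Review bot: the wrapper only maps the `permitted_classes:` and `aliases:` keywords onto the Ruby 2.5 positional signature; a caller that passes `permitted_symbols:` (the keyword spelling of the `whitelist_symbols` positional argument) still hits the same `unknown keywords` error, so consider adding `permitted_symbols: whitelist_symbols` to the keyword list and forwarding it in the `whitelist_symbols` position. Two smaller points: `alias original_safe_load safe_load` has no guard, so if this module reopening is evaluated a second time in the same process (for example when the same workaround is also dropped into an initializer) the alias captures the wrapper itself and `safe_load` recurses without end; `unless respond_to?(:original_safe_load)` around the alias prevents that. And because the hunk edits the packaged stdlib file under `/usr/lib/ruby/2.5.0/`, the next libruby package update overwrites it without notice; the same reopening placed in a Redmine initializer survives upgrades and leaves the Debian-managed file untouched.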
* redmine
--- /usr/share/redmine/config/application.rb.old 2022-09-06 08:36:35.618677157 +0200
+++ /usr/share/redmine/config/application.rb 2022-09-06 08:37:33.415486699 +0200
@@ -20,6 +20,9 @@
config.active_record.store_full_sti_class = true
config.active_record.default_timezone = :local
+ # Workaround for https://lists.debian.org/debian-backports/2022/09/msg00003.html
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, ActiveSupport::HashWithIndifferentAccess]
+
# Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
# Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
# config.time_zone = 'Central Time (US & Canada)'
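Review bot: this hunk does not address the `unknown keywords: permitted_classes, aliases` error in the quoted trace, which is raised by the Ruby 2.5 `Psych.safe_load` signature and is only covered by the psych patch; it becomes relevant once `safe_load` accepts the keywords, because from then on every class found in a YAML-serialised column (the one `UserPreference#[]` reads at `user_preference.rb:61`) must be on this list or deserialisation fails with a disallowed-class error. Since `yaml_column_permitted_classes` is exactly the allow-list the Rails security update introduced, the comment should state which serialised attribute needs each of `Symbol`, `Date`, `Time` and `ActiveSupport::HashWithIndifferentAccess`, rather than only linking the list thread; that keeps the list reviewable and discourages widening it casually later.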
I hope these pointers help the actual maintainers to find a good solution.
Kind regards,
Sven
[1] https://github.com/rails/rails/issues/45590#issuecomment-1236581816